Information technology systems are subject to various threats. For example, transmitted information may be tapped and altered by an unauthorized third party. A further threat in communication between two communication parties is that one party feigns a false identity.
These and other threats are countered by various security mechanisms intended to protect the information technology system. One security mechanism used for safeguarding purposes is the encryption (encoding) of the transmitted data. Before the data in a communication relationship between two communication parties can be encrypted, preparatory steps have to be taken ahead of the transmission of the actual data. These steps may comprise, for example, the two communication parties agreeing on a cryptographic algorithm and, if appropriate, on a common secret key.
The security mechanism of encryption takes on particular significance in the case of mobile radio systems, since the transmitted data in these systems can be tapped by any third party without any particular additional effort.
This leads to the requirement that known security mechanisms be selected and suitably combined, and that communication protocols be specified, such that they ensure the security of information technology systems.
Various asymmetric methods for the computer-aided exchange of cryptographic keys are known. Asymmetric methods which are suitable for mobile radio systems are those described in A. Aziz, W. Diffie, "Privacy and Authentication for Wireless Local Area Networks", IEEE Personal Communications, 1994, pages 25 to 31 and M. Beller, "Proposed Authentication and Key Agreement Protocol for PCS", Joint Experts Meeting on Privacy and Authentication for Personal Communications, P&A JEM 1993, pages 1 to 11.
The method described in A. Aziz, W. Diffie, "Privacy and Authentication for Wireless Local Area Networks", IEEE Personal Communications, 1994, pages 25 to 31, relates expressly to local area networks and makes relatively high demands in terms of computing power on the computer units of the communication parties during the key exchange. Moreover, that method requires more transmission capacity than the method according to the invention, since its messages are longer than those of the method according to the invention.
The method described in M. Beller, "Proposed Authentication and Key Agreement Protocol for PCS", Joint Experts Meeting on Privacy and Authentication for Personal Communications, P&A JEM 1993, pages 1 to 11, lacks some fundamental security mechanisms. Explicit authentication of the network by the user is not achieved. Moreover, a key transmitted by the user to the network is not confirmed by the network to the user. There is also no assurance provided that the key for the network is fresh (up-to-date). A further disadvantage of this method is its restriction to the Rabin method in the implicit authentication of the key by the user, which limits how flexibly the method can be applied. In addition, no security mechanism is provided which ensures the incontestability (non-repudiation) of transmitted data. This is a considerable disadvantage, in particular for the preparation of incontestable charge accounts for a mobile radio system. The restriction of the method to the signature function used by the National Institute of Standards and Technology as a Digital Signature Standard (NIST DSS) restricts the method in its general applicability.